Today we were phished… we didn’t take the bait!

Today, attackers launched a phishing attack against Protos Networks. As we’d expect, our security controls blocked it. However, I thought I’d document how we detected the attack using the systems we have in place, and what we learned about how it was launched.

Quarantining the phishing email

At Protos, we use a secure email gateway for our email security. Every day, I receive a summary of all emails quarantined by the system and have the option to delete anything which is malicious or spam, or to release any emails which may have been quarantined by mistake. Today, we saw an email saying we had an overdue invoice. This immediately set off the spidey-senses, as I know Joe, who does our finance, is a good payer!

I logged into our email security platform to check out the details of this email…

As you can see, this email purports to come from ey-ukdotcom, a domain specifically designed to look like an Ernst & Young domain. This was another red flag, as we’ve never done business with this company. The attackers were also ‘chasing’ a large amount of money (over £12,000), and were using urgent language to try and get us to pay – a common trick used by online fraudsters.

It’s difficult to say where the attackers got my email address from; however, we believe it was stolen in a previous phishing attack on a company we have previously dealt with.

Investigating the bogus domain

Curious as I am, I decided to dig a little deeper into the domain the attackers had launched the attack from. My first tool of choice for this was Cisco Umbrella Investigate. This tool analyses domains on the internet, and uses machine learning and advanced threat intelligence to pre-emptively block domains used by attackers.

As you can see in the screenshot below, the domain was being blocked by Umbrella – meaning that if the email had got through, and if I had clicked the link in it, access to that link would have been blocked. The Investigate tool also tells us that this domain is associated with a Trojan called ‘TrickBot’. The graph showing requests to this domain is also a useful feature for us, as it shows that requests spiked today only – for a security analyst, this is invaluable evidence that we are dealing with a spear-phishing attack.

Further analysis shows us that this domain had only just been registered via GoDaddy.

Investigate also allows us to pivot into VirusTotal – a website and free service owned by Google that analyses suspicious files and URLs, facilitating the quick detection of viruses, worms, trojans, and other kinds of malware.

VirusTotal also reported that both Fortinet and Spamhaus had identified this domain as spam.
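The four signals used in the investigation above (a lookalike of a known brand, a freshly registered domain, a query spike on a single day, and vendor verdicts) can be combined into a simple triage rule. The following is an added illustration, not code from Protos Networks or from Umbrella/VirusTotal; the registration date, daily query counts and vendor verdicts are constructed sample values modelled on the post, and the brand list and 30-day age threshold are assumptions.

```python
from datetime import date

# Constructed sample inputs modelled on the signals in the post (not real telemetry).
KNOWN_BRANDS = ["ey.com", "protosnetworks.com"]          # assumed brand list
SAMPLE = {
    "domain": "ey-uk.com",                               # the post's defanged lookalike domain
    "registered": date(2019, 3, 5),                      # hypothetical WHOIS creation date
    "today": date(2019, 3, 6),
    "daily_requests": [0, 0, 0, 0, 0, 0, 48],            # resolver queries, last entry = today
    "verdicts": {"Fortinet": "spam", "Spamhaus": "spam", "VendorC": "clean"},
}

def label_tokens(domain):
    """'ey-uk.com' -> ['ey', 'uk']: registrable label split on hyphens."""
    return domain.lower().split(".")[0].split("-")

def lookalike_brand(domain, brands):
    """Return the brand a domain imitates (brand label embedded as a token), else None."""
    tokens = label_tokens(domain)
    for brand in brands:
        if domain.lower() == brand:
            return None                                  # the real brand, not a lookalike
        if brand.split(".")[0] in tokens:
            return brand
    return None

def is_isolated_spike(daily_requests):
    """True when today's query volume dwarfs every earlier day (fresh infrastructure)."""
    *earlier, today = daily_requests
    return today > 0 and today >= 5 * max(earlier, default=0)

def triage(sample, brands):
    """Combine the post's four signals into findings and a disposition."""
    findings = []
    brand = lookalike_brand(sample["domain"], brands)
    if brand:
        findings.append(f"lookalike of {brand}")
    age_days = (sample["today"] - sample["registered"]).days
    if age_days <= 30:                                   # assumed 'newly registered' window
        findings.append(f"registered {age_days} day(s) ago")
    if is_isolated_spike(sample["daily_requests"]):
        findings.append("query volume spiked today only")
    flagged = sorted(v for v, r in sample["verdicts"].items() if r != "clean")
    if flagged:
        findings.append("flagged by " + ", ".join(flagged))
    disposition = "quarantine" if len(findings) >= 2 else "review" if findings else "release"
    return disposition, findings

if __name__ == "__main__":
    print(triage(SAMPLE, KNOWN_BRANDS))
```

Any two of the four findings are enough to quarantine; a single finding sends the message for human review.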

From the controls and tools we have at our disposal, we can clearly see that this was a spear-phishing attack. However, not all businesses have the awareness or controls in place to detect and protect against these kinds of attack. A lesser-prepared company may have found itself over £12,000 down because of this attack.

Our customers benefit from having these controls in place, as well as having a team of security professionals on-hand to help prevent these types of attack, and deal with any other security incidents which may arise.

To find out how we can help you defend against phishing attacks, please contact Protos Networks today.